Pokemon Go Cheat Fools GPS with Software Defined Radio

Using Xcode to spoof GPS locations in Pokemon Go (like we saw this morning) isn’t that much of a hack, and frankly, it’s not even a legit GPS spoof. After all, it’s not like we’re using an SDR to spoof the physical GPS signal to cheat Pokemon Go.

To [Stefan Kiese], this isn’t much more than an exercise. He’s not even playing Pokemon Go. To squeeze a usable GPS signal out of his HackRF One, a $300 Software Defined Radio, [Stefan] uses an external precision clock. This makes up for the insufficient calibration of the HackRF’s internal clock, although he points out that this might also be fixed entirely in software.

Using SatGen and a conversion tool that ships with the software-defined GPS signal simulator gps-sdr-sim, [Stefan] turned a Google Earth path exported as a .KML file into a .CSV file that the GPS simulator can play back.

After firing up the GPS transmission, he found his avatar running happily through the Pokemon world. Someone still has to write the code that lets you navigate freely and actually catch ’em all, but it looks doable, and we are curious to see if and how it will affect the game. For the novice SDR cheater, [Stefan] has some extra advice: disable A-GPS on your device and use a signal attenuator on the SDR (a shielded box should do).

A legit GPS spoof might still exceed the effort and investment the average player is willing to undertake. Meaning that, if done right, you might actually get away with it. If done wrong, however, the legal consequences might be even more severe. But how many players will actually go so far as to try this? And will Niantic be able to reliably detect SDR cheaters? What do you think? Let us know in the comment section!

Thanks to [sabas1080] for the tip!

59 thoughts on “Pokemon Go Cheat Fools GPS with Software Defined Radio”

    1. *BLINK* Hells Bells! I’ll start my local chapter of Cthulhu Cultists For a Better Tomorrow now if there are as many cruise missiles and submarines to mess with outside my house as there are cell phone wielding pokemon hunters nearby.

    2. They typically use encrypted GPS/GLONASS for obvious reasons. It could disable the cellular network though, the base stations often use GPS as a timing reference. There is a local holdover clock so it would only cause trouble after some time.

      Niantic may be able to detect the SDR spoofing if the satellites are not correct. With a spoofer it is possible that you see satellites that would be under the horizon at your current time and place. The signal strength of the sats may also be too high, and too consistent (all approx the same power, since they come from the same transmitter).

      1. Maybe it could, but it’s not for apps to check things like that. I would be pretty sure it just uses the system’s GPS calls and takes what it’s given, with maybe some basic anti-cheating built in. Actually reimplementing GPS, doing all the maths and ephemera and whatever else by itself, is probably asking a bit much.

        Unless it’s driving the GPS chip itself, it’s going to rely on system libraries at some level, and that’s where you put the spoofing in.

        1. Correct, I know for sure that on iOS it is not possible to view the received satellite constellation. Apple only allows the use of their own location API, and it does not allow viewing raw GPS data. Also there is no function to retrieve satellite info. It is highly abstracted.

          On Android it could be possible but really, this cheat requires so much hardware and knowledge that I doubt it will cause a real-world problem where many gamers get an in-game advantage.

  1. You could easily detect GPS spoofing by collecting data from other sensors like the compass and accelerometer. In order to have a chance to get away with it, fake data should also be sent to those sensors. If you get movement from the GPS for some time and the accelerometer and compass show no movement, that is a sign that the user may be spoofing the location.

    AFAIK, the spoofing detector implemented in Ingress (Niantic’s first game) does that and I don’t see any reason why it wouldn’t already be implemented in Pokemon Go.
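Editor’s note: the two detection ideas raised in the thread (satellites that should be below the horizon or suspiciously uniform in strength, and GPS movement with a motionless accelerometer) are easy to sketch in code. The following is an added example, not from [Stefan] or Niantic; the thresholds and the sample readings are assumptions constructed for illustration.

```python
import math
from statistics import mean, pstdev

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def gps_mean_speed_mps(fixes):
    """fixes: list of (t_seconds, lat, lon). Average ground speed over the whole track."""
    dist = sum(haversine_m(a[1], a[2], b[1], b[2]) for a, b in zip(fixes, fixes[1:]))
    elapsed = fixes[-1][0] - fixes[0][0]
    return dist / elapsed if elapsed > 0 else 0.0

def accel_jitter(samples):
    """samples: list of (ax, ay, az) in m/s^2. Std-dev of |a|; near zero when the phone is still."""
    return pstdev([math.sqrt(x * x + y * y + z * z) for x, y, z in samples])

def spoof_indicators(fixes, accel, sats, min_speed=0.5, min_jitter=0.2,
                     max_snr_spread=1.0, min_mean_snr=48.0):
    """sats: list of (prn, elevation_deg, snr_db). Returns reasons to suspect a spoof ([] = clean)."""
    reasons = []
    # Sensor cross-check comment: the fix moves, but the IMU says the handset is lying still.
    if gps_mean_speed_mps(fixes) > min_speed and accel_jitter(accel) < min_jitter:
        reasons.append("gps-motion-without-imu-motion")
    # Satellite-visibility comment: a satellite reported below the horizon cannot be real.
    if any(el < 0 for _, el, _ in sats):
        reasons.append("satellite-below-horizon")
    # One transmitter feeding every channel gives near-identical, unusually strong signals.
    snrs = [s for _, _, s in sats]
    if len(snrs) >= 4 and pstdev(snrs) < max_snr_spread and mean(snrs) > min_mean_snr:
        reasons.append("uniform-high-snr")
    return reasons

# Constructed sample data (assumed values, not captured from a real handset).
SPOOFED_FIXES = [(0, 51.50000, -0.12000), (30, 51.50038, -0.12000), (60, 51.50076, -0.12000)]
STILL_ACCEL = [(0.0, 0.0, 9.81)] * 8                        # phone sitting flat on a desk
WALKING_ACCEL = [(0.5, -0.3, 10.4), (-0.6, 0.2, 9.2), (0.3, 0.4, 10.6), (-0.2, -0.5, 9.0)]
SPOOFED_SATS = [(1, -5.0, 50.0), (2, 40.0, 50.5), (3, 60.0, 49.5), (4, 30.0, 50.0)]
REAL_SATS = [(1, 15.0, 32.0), (2, 45.0, 41.0), (3, 70.0, 44.0), (4, 28.0, 36.0)]

if __name__ == "__main__":
    print("spoofed:", spoof_indicators(SPOOFED_FIXES, STILL_ACCEL, SPOOFED_SATS))
    print("walking:", spoof_indicators(SPOOFED_FIXES, WALKING_ACCEL, REAL_SATS))
```

As the iOS comment above notes, an app only gets the satellite fields on platforms that expose them, so the IMU cross-check is the portable half of this.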

  2. I think a better way of spoofing would be to provide an offset to the actual GPS data. “Teleport” to London, walk around your real city, but the map would show London. Do this with the ability to modify your actual rate of travel (walk 5ft IRL, move 25ft in game, for example), and you could explore anywhere, quickly.

    1. Walking through a real city carrying a GPS spoofer is probably not a great idea.

      Also, you’d be jamming your own GPS reception (which you’d use to get your real location), so you’d have to make sure the antennas are well separated.

      1. I put mine on a PTZ camera and make the camera spin. Hatched two eggs today while I worked. Since GPS is not accurate, the software detects motion as well for walking. But max walking speed is like 15mph, so a zipline with a motor would be much better!

  3. The GPS chip on my phone died long ago due to heat at the beach. I use a Nokia external I had many years before that whenever I need. It farts a string over essentially a UART BLE module. What’s the betting if I did play poke-a-man I’d get banned? Only one way to find out.

  4. Great. Ingress has a big enough problem with spoofing without providing ideas and information to the point and click script kiddies.

    Transmitting on 1.5GHz requires a ham radio license and blocking GPS signals usually constitutes a crime. Use of this software should be restricted to directly connected closed-loop systems or inside a properly shielded environment. Although I suspect that if you are cheating at a game then following the rules isn’t one of your strong points.

    1. Actually, even with a ham radio license (I have one) you can’t legally transmit on 1.5GHz. Only on the bands that are assigned to hams, and the GPS band isn’t one of them, of course.

      Having said that, if you keep the power low enough and couple properly to the phone’s GPS antenna, you could do it without any leakage.

      Considering the expense to go to for this I doubt there will be many using it for actual pokemon cheating though. You need an SDR capable of transmitting in this band and those are 100-200 $/€ at the very least.

          1. Never say never. Quite a few countries allow uncoordinated low-power repeaters on the GPS band. This is often used to get a GPS signal deep indoors. Doesn’t work for positioning, as all receivers get a fix to the position of the outdoor receive antenna, but at least their ephemeris and almanac are current, so when you go out you have a valid fix instantly. Also useful in lab settings.

  5. Soooo… I can spoof random GPS locations at a PokeStop and make everyone playing nearby banned.

    “Remove those pesky Pokemon Trainers from your lawn! Get your pokerepeller now!”

    (Yes it would be illegal, yes it’s also careless)

    1. Exactly as I think you can hack it. Use an external serial GPS, or in the case of that product, probably a Bluetooth GPS connection. But why use real GPS when you can just fake the Bluetooth serial data? Remove the drone, replace with virtual drone!

  6. Okay, even better solution to the GPS spoof location: why not hook up an external serial GPS? All you need is to get that data and then use an application to send the serial from, say, your PC. Maybe I’ll do it and not talk about it. I have an old Android phone I can use to test with. If it can run Pokemon Go, should be simple enough. Looks like there are solutions online to set up external GPS devices. Just don’t use a GPS, fake it. It’s only GPS data sent serially.

    1. Android can only receive external Bluetooth GPS via the mock location API that can be enabled under developer settings. This is the same mechanism fakers use and what Niantic detects as an anti-cheat system in the Android version of the app, as the Android API does include a simple check for mock locations being enabled. That check is then too dumb to distinguish what source is providing the mock location and therefore can’t tell between a faking app and a Bluetooth GPS.

      Workaround: root the phone, install Xposed and an Xposed module named “mock mock locations” which forces any mock location check to return false yet allows mock locations to be used. This is what I’ve been doing, as my Android device lacks GPS, and with a legit copy of the game running on my brother’s and sister’s phones we’ve established that there isn’t a Pokemon spawn within 4 miles of us or a gym within 5. Unlike most cheaters, I’ve been reasonable in limiting myself to one area though, rather than globetrotting.

    1. Set up a sprinkler system activated by a motion sensor.
      Or just stand there with a hose.

      They’re everywhere now!
      Recently someone crashed into a police car while playing the game.

    2. If I had the time to do some reverse engineering I’d create an open wifi hotspot and redirect all connections going outbound to a local server and make a bunch of really crappy pokemon spawn without allowing them to catch them.

      1. That’s really funny to me for some reason.

        Or, have an army of Mewtos or whatever flying around like sparrows. I don’t know what playing the game looks like; trying to avoid it.

  7. Comparing cell tower location (based on triangulation) and GPS location should be relatively easy… Once you see that data doesn’t match, then the ban could be issued… maybe even automatically….

    That said, VPN is a real thing…

  8. What if you open a smartphone, remove the GPS antenna cable and connect it to a PC USB? Could the signal be faked this way? Do GPS antennas share the same protocols or are they model dependent?

  9. A method I’ve been using since about the 3rd hour of installing the game was to use wifi AP data from wigle.net to make the wifi location system teleport me around the local area. Just download the access points around a long/lat of your choosing and fire it through mdk3. Works a treat so long as you block the GPS signal (the layers of lead paint in my house do a fair job of that, some earthed aluminium foil does the rest).
